From: Victor Julien
Date: Sun, 26 Feb 2017 13:19:43 +0000 (+0100)
Subject: app-layer: change logic of setting 'no reassembly'
X-Git-Tag: suricata-4.0.0-beta1~161
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bf3f3ce6b27ee4210e09e93072c119d4caf71725;p=thirdparty%2Fsuricata.git
app-layer: change logic of setting 'no reassembly'
Instead of killing all reassembly instantly do things slightly more gracefully: 1. disable app-layer reassembly immediately 2. flag raw reassembly not to accept new data This will allow the current data to be inspected still. After detect as run the raw reassembly will be fully disabled and thus all reassembly will be as well.
---
diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c
index c12eee7359..a87e08e921 100644
--- a/src/app-layer-smtp.c
+++ b/src/app-layer-smtp.c
@@ -1892,8 +1892,8 @@ static int SMTPParserTest01(void)
 if (!(f.flags & FLOW_NOPAYLOAD_INSPECTION) ||
 !(ssn.flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) ||
- !(((TcpSession *)f.protoctx)->server.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY) ||
- !(((TcpSession *)f.protoctx)->client.flags & STREAMTCP_STREAM_FLAG_NOREASSEMBLY)) {
+ !(((TcpSession *)f.protoctx)->server.flags & STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED) ||
+ !(((TcpSession *)f.protoctx)->client.flags & STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED)) {
 goto end;
 }
diff --git a/src/stream-tcp-list.c b/src/stream-tcp-list.c
index 4d2f56160e..fbd697d871 100644
--- a/src/stream-tcp-list.c
+++ b/src/stream-tcp-list.c
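Review bot: In SMTPParserTest01 (src/app-layer-smtp.c) the updated condition pins only the intermediate state: it requires `STREAMTCP_FLAG_APP_LAYER_DISABLED` on the session and `STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED` on both streams, and no visible line checks that `STREAMTCP_STREAM_FLAG_NOREASSEMBLY` is still clear here or that it is reached later. Because the commit moves that final transition into StreamTcpPruneSession, a comment above the `if` would record why the expectation changed, for example `/* reassembly is shut down in stages; NOREASSEMBLY is set later by StreamTcpPruneSession */`. The test body continues outside the hunk, so a later assertion may already cover the end state.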
@@ -748,6 +748,12 @@ void StreamTcpPruneSession(Flow *f, uint8_t flags)
 stream->flags |= STREAMTCP_STREAM_FLAG_NOREASSEMBLY;
 SCLogDebug("ssn %p: reassembly depth reached, "
 "STREAMTCP_STREAM_FLAG_NOREASSEMBLY set", ssn);
+ } else if ((ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) &&
+ (stream->flags & STREAMTCP_STREAM_FLAG_DISABLE_RAW))
+ {
+ SCLogDebug("ssn %p: both app and raw are done, "
+ "STREAMTCP_STREAM_FLAG_NOREASSEMBLY set", ssn);
+ stream->flags |= STREAMTCP_STREAM_FLAG_NOREASSEMBLY;
 }
 uint64_t left_edge = GetLeftEdge(ssn, stream);
diff --git a/src/stream-tcp-reassemble.c b/src/stream-tcp-reassemble.c
index 94d8335d3c..6559024200 100644
--- a/src/stream-tcp-reassemble.c
+++ b/src/stream-tcp-reassemble.c
@@ -1244,6 +1244,9 @@ bool StreamReassembleRawHasDataReady(TcpSession *ssn, Packet *p)
 * 2. progress is 0, meaning the detect engine didn't touch
 * raw at all. In this case we need to look into progressing
 * raw anyway.
+ *
+ * Additionally, this function is tasked with disabling raw
+ * reassembly if the app-layer requested to disable it.
 */
 void StreamReassembleRawUpdateProgress(TcpSession *ssn, Packet *p, uint64_t progress)
 {
@@ -1302,6 +1305,8 @@ void StreamReassembleRawUpdateProgress(TcpSession *ssn, Packet *p, uint64_t prog
 (uint)STREAM_RAW_PROGRESS(stream), (uint)stream->window);
 }
+ /* if we were told to accept no more raw data, we can mark raw as
+ * disabled now. */
 if (stream->flags & STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED) {
 stream->flags |= STREAMTCP_STREAM_FLAG_DISABLE_RAW;
 SCLogDebug("ssn %p: STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED set, "
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 5ecb702c0f..56e7809ada 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
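Review bot: The new `else if` in StreamTcpPruneSession (src/stream-tcp-list.c) is the only place in this diff where the staged shutdown reaches `STREAMTCP_STREAM_FLAG_NOREASSEMBLY`, and nothing at the branch says which earlier steps it depends on. It combines a session-wide flag (`ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED`) with a per-stream one (`STREAMTCP_STREAM_FLAG_DISABLE_RAW`), and the latter is only set in StreamReassembleRawUpdateProgress. A stream for which that function is not reached would presumably stay in the "no new raw data" state and keep taking segments, so the ordering deserves a comment such as `/* last stage: app-layer is off for the session and detect has finished with raw on this stream */`. The preceding `if` condition and the rest of the function are outside the hunk, so how often this branch is evaluated cannot be confirmed from here.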
@@ -5510,16 +5510,22 @@ invalid:
 SCReturnInt(-1);
 }
-/** \brief Set the No reassembly flag for the given direction in given TCP
- * session.
+/** \brief disable reassembly
+
+ * Disable app layer and set raw inspect to no longer accept new data.
+ * Stream engine will then fully disable raw after last inspection.
 *
 * \param ssn TCP Session to set the flag in
 * \param direction direction to set the flag in: 0 toserver, 1 toclient
 */
 void StreamTcpSetSessionNoReassemblyFlag (TcpSession *ssn, char direction)
 {
- direction ? (ssn->server.flags |= STREAMTCP_STREAM_FLAG_NOREASSEMBLY) :
- (ssn->client.flags |= STREAMTCP_STREAM_FLAG_NOREASSEMBLY);
+ ssn->flags |= STREAMTCP_FLAG_APP_LAYER_DISABLED;
+ if (direction) {
+ ssn->server.flags |= STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED;
+ } else {
+ ssn->client.flags |= STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED;
+ }
 }
 /** \brief Set the No reassembly flag for the given direction in given TCP
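Review bot: StreamTcpSetSessionNoReassemblyFlag now sets `ssn->flags |= STREAMTCP_FLAG_APP_LAYER_DISABLED` before looking at `direction`, so a call for a single direction switches app-layer off for the whole session, while the unchanged `\param direction` text still reads as if everything were per direction. The removed code touched only one stream's flags, so any caller that passes just one direction (callers are not visible here) would now also lose app-layer parsing, and the inspection built on it, for the opposite direction. If that is intended, the doc should say so, for example `\param direction stream that stops accepting new raw data: 0 toserver, 1 toclient (app-layer is disabled for both directions)`. The added comment also has an empty line after `\brief disable reassembly` with no leading ` *`, which breaks the block-comment style used by the lines below it.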